nixos-config/config/host-config/france/auth.nix

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;
  domain-name = config.instance.local-domain;
  site-name = config.instance.local-site;
  fqdn = "${hostname}.${domain-name}";

  # same as genAttr, but takes back attrsets and merges them
  concatGenAttrs = lst: f:
    foldr (a0: a1: a0 // a1) {} (map f lst);

  passwd = import ../../../lib/passwd.nix { inherit lib; };

  secrets = config.fudo.secrets.host-secrets.${hostname};

  cfg = config.fudo.france;

in {
  options.fudo.france = with types; {
    ldap = {
      ssl-certificate = mkOption {
        type = str;
        description = "SSL certificate to use for the LDAP server.";
      };
      ssl-private-key = mkOption {
        type = str;
        description = "SSL private key to use for the LDAP server.";
      };
      ssl-ca-certificate = mkOption {
        type = str;
        description = "SSL certificate authority to use for the LDAP server.";
      };
      keytab = mkOption {
        type = str;
        description = "Path to the LDAP service keytab.";
      };
      root-password-file = mkOption {
        type = str;
        description = "Path to the file containing the LDAP root password.";
      };
    };

    kdc = {
      state-directory = mkOption {
        type = str;
        description = "Path at which to store kerberos state.";
        default = "/state/kerberos";
      };

      master-key-file = mkOption {
        type = str;
        description = "Heimdal database master key file.";
      };

      listen-ips = mkOption {
        type = listOf str;
        description = "IP addresses on which to listen for connections.";
      };
    };
  };
  
  config = {
    fudo = {
      secrets.host-secrets.${hostname}.kdc-master-key = {
        source-file = cfg.kdc.master-key-file;
        target-file = "/run/kerberos/kdc/master.key";
        user = config.fudo.auth.kdc.user;
      };

      auth = {
        ldap-server = {
          enable = true;
          base = "dc=fudo,dc=org";
          organization = "Fudo";
          rootpw-file = cfg.ldap.root-password-file;
          kerberos-host = fqdn;
          kerberos-keytab = cfg.ldap.keytab;
          ssl-certificate = cfg.ldap.ssl-certificate;
          ssl-private-key = cfg.ldap.ssl-private-key;
          ssl-ca-certificate = cfg.ldap.ssl-ca-certificate;

          listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];

          users = config.fudo.users;
          groups = config.fudo.groups;
          system-users = config.fudo.system-users;
        };

        # TODO: let build hosts create keys?
        kdc = {
          enable = true;
          realm = config.fudo.domains.${domain-name}.gssapi-realm;
          state-directory = cfg.kdc.state-directory;
          master-key-file = secrets.kdc-master-key.target-file;
          acl = let
            admin-entries = concatGenAttrs
              config.instance.local-admins
              (admin: {
                "${admin}" = { perms = [ "add" "list" "change-password" ]; };
                "${admin}/root" = { perms = [ "all" ]; };
              });
          in {
            "host/*.fudo.org" = { perms = [ "add" ]; };
            "pam_migrate/*.fudo.org" = { perms = [ "add" "change-password" ]; };
          } // admin-entries;
          bind-addresses = cfg.kdc.listen-ips;
        };
      };
    };
  };
}
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`{ config, lib, pkgs, ... }:`

			`with lib;`
			`let`
			`hostname = config.instance.hostname;`
			`domain-name = config.instance.local-domain;`
			`site-name = config.instance.local-site;`
			`fqdn = "${hostname}.${domain-name}";`

			`# same as genAttr, but takes back attrsets and merges them`
			`concatGenAttrs = lst: f:`
			`foldr (a0: a1: a0 // a1) {} (map f lst);`

Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`passwd = import ../../../lib/passwd.nix { inherit lib; };`

			`secrets = config.fudo.secrets.host-secrets.${hostname};`

			`cfg = config.fudo.france;`

Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`in {`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`options.fudo.france = with types; {`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`ldap = {`
			`ssl-certificate = mkOption {`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`type = str;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`description = "SSL certificate to use for the LDAP server.";`
			`};`
			`ssl-private-key = mkOption {`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`type = str;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`description = "SSL private key to use for the LDAP server.";`
			`};`
			`ssl-ca-certificate = mkOption {`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`type = str;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`description = "SSL certificate authority to use for the LDAP server.";`
			`};`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`keytab = mkOption {`
			`type = str;`
			`description = "Path to the LDAP service keytab.";`
			`};`
			`root-password-file = mkOption {`
			`type = str;`
			`description = "Path to the file containing the LDAP root password.";`
			`};`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`};`

			`kdc = {`
			`state-directory = mkOption {`
			`type = str;`
			`description = "Path at which to store kerberos state.";`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`default = "/state/kerberos";`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`};`

			`master-key-file = mkOption {`
			`type = str;`
			`description = "Heimdal database master key file.";`
			`};`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00
			`listen-ips = mkOption {`
			`type = listOf str;`
			`description = "IP addresses on which to listen for connections.";`
			`};`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`};`
			`};`

			`config = {`
			`fudo = {`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`secrets.host-secrets.${hostname}.kdc-master-key = {`
			`source-file = cfg.kdc.master-key-file;`
			`target-file = "/run/kerberos/kdc/master.key";`
			`user = config.fudo.auth.kdc.user;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`};`

			`auth = {`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`ldap-server = {`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`enable = true;`
			`base = "dc=fudo,dc=org";`
			`organization = "Fudo";`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`rootpw-file = cfg.ldap.root-password-file;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`kerberos-host = fqdn;`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`kerberos-keytab = cfg.ldap.keytab;`
			`ssl-certificate = cfg.ldap.ssl-certificate;`
			`ssl-private-key = cfg.ldap.ssl-private-key;`
			`ssl-ca-certificate = cfg.ldap.ssl-ca-certificate;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00
			`listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];`

			`users = config.fudo.users;`
			`groups = config.fudo.groups;`
			`system-users = config.fudo.system-users;`
			`};`

			`# TODO: let build hosts create keys?`
			`kdc = {`
			`enable = true;`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`realm = config.fudo.domains.${domain-name}.gssapi-realm;`
			`state-directory = cfg.kdc.state-directory;`
			`master-key-file = secrets.kdc-master-key.target-file;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`acl = let`
			`admin-entries = concatGenAttrs`
			`config.instance.local-admins`
			`(admin: {`
			`"${admin}" = { perms = [ "add" "list" "change-password" ]; };`
			`"${admin}/root" = { perms = [ "all" ]; };`
			`});`
			`in {`
			`"host/*.fudo.org" = { perms = [ "add" ]; };`
			`"pam_migrate/*.fudo.org" = { perms = [ "add" "change-password" ]; };`
			`} // admin-entries;`
Move profiles from ./profile-config to ./profile 2021-11-02 09:34:26 -07:00			`bind-addresses = cfg.kdc.listen-ips;`
Partway to getting France back in the fold. Stuck on ACME certs. 2021-10-28 09:32:35 -07:00			`};`
			`};`
			`};`
			`};`
			`}`